A pro-Ukrainian hacking group called Bearlyfy has been attributed to more than 70 cyber attacks targeting Russian companies since January 2025, with recent operations deploying a proprietary Windows ransomware strain called GenieLocker, according to research from Russian security vendor F6 via The Hacker News.
Dual-Purpose Operations
Bearlyfy (also known as Labubu) operates with dual objectives: financial extortion through ransomware and deliberate sabotage against Russian businesses. The group first emerged in the threat landscape in January 2025 and has rapidly evolved from targeting smaller companies to attacking major Russian enterprises.
According to F6’s data, approximately one in five Bearlyfy victims ultimately pay the ransom, with initial demands escalating from €80,000 (about $92,100) to hundreds of thousands of dollars in recent attacks.
Ransomware Evolution
The group’s toolset has evolved significantly over time:
- Early Operations (2025): Leveraged encryptors associated with LockBit 3 (Black) and Babuk
- May 2025: Adopted a modified version of PolyVice, a ransomware family attributed to Vice Society (DEV-0832/Vanilla Tempest)
- March 2026: Deployed proprietary GenieLocker ransomware targeting Windows endpoints
GenieLocker’s encryption scheme is inspired by the Venus/Trinity ransomware families, representing a significant capability upgrade for the threat actor.
Threat Actor Ecosystem
Analysis of Bearlyfy’s toolset and infrastructure reveals overlaps with other pro-Ukrainian threat actors:
- PhantomCore: A group conducting APT-style campaigns against Russian and Belarusian companies since 2022, in which reconnaissance, persistence, and data exfiltration take precedence over encryption
- Head Mare: Another Ukraine-aligned threat actor with shared operational elements
While PhantomCore focuses on sophisticated espionage operations, Bearlyfy is distinguished by rapid-fire attacks characterized by minimal preparation and swift data encryption.
Attack Methodology
Bearlyfy gains initial access through exploitation of external services and vulnerable applications. The group then deploys tools like MeshAgent to facilitate remote access and enable encryption, destruction, or modification of data.
A distinctive trait of Bearlyfy attacks is that ransom notes are not generated automatically by the ransomware itself. Instead, the operators write the messages by hand, sometimes including contact details or elaborate text designed to exert psychological pressure on victims.
Implications
The evolution of Bearlyfy from experimenting with existing ransomware tools to developing proprietary malware demonstrates the maturation of pro-Ukrainian cyber operations. As F6 noted: “Within the span of a single year, this group has evolved into a veritable nightmare for Russian businesses — including major enterprises.”
The group’s success rate (roughly 20% of victims paying) combined with escalating ransom demands suggests Bearlyfy has become a sustainable operation, blending ideological motivations with profitable cybercrime.